.mobileconfig onDemand Wireguard VPN not auto-disconnecting as expected

Hi Apple Development forums,

I am having trouble getting a Wireguard VPN config setup to automatically disconnect on all domain requests other than one specific domain.

I have my .mobileconfig designed as so:

    <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
            <dict>
                <key>Domains</key>
                <array>
                    <string>service.domainname.com</string>
                </array>
                <key>DomainAction</key>
                <string>ConnectIfNeeded</string>
                <key>ProbeURL</key>
                <string>https://service.domainname.com/</string>
            </dict>
        </array>
    </dict>
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
        <key>DNSDomainMatch</key>
        <array>
            <string>*.com</string>
            <string>*.org</string>
            <string>*.net</string>
        </array>
    </dict>
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>
</array>

The issue I'm having is that, regardless of whether I note a *.com or simply have the action Disconnect noted, the VPN stays connected after navigating to https://service.domainname.com.

Would anyone have any thoughts on this? Or am I missing something here?
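To see how a rule list like the one above is evaluated, here is an added example (not code from the post or from Apple) that loads the poster's three rules, wrapped in the OnDemandRules array they belong to (assumed wrapper, constructed here as a complete plist), and walks them the way the documented on-demand semantics describe: rules are checked in order, the first rule whose match criteria all hold on the current network is applied, a rule with no match keys matches every network, and DNSDomainMatch is compared against the network's DNS search domains rather than hostnames the user browses to. The network description dictionary and the `interface`, `search_domains`, `dns_servers`, `probe_reachable` field names are constructed for the example.

```python
"""Simulate first-match evaluation of a VPN payload's OnDemandRules array.

Added example, not the poster's or Apple's code. Assumes Apple's documented
semantics: ordered evaluation, first matching rule wins, DNSDomainMatch is
matched against the network's search domains (from DHCP), and a rule that
carries no match keys matches every network.
"""
import plistlib
from fnmatch import fnmatch

# Constructed plist: the poster's three rules inside an assumed
# OnDemandRules wrapper so that plistlib can parse a complete document.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>OnDemandRules</key>
  <array>
    <dict>
      <key>Action</key><string>EvaluateConnection</string>
      <key>ActionParameters</key>
      <array>
        <dict>
          <key>Domains</key><array><string>service.domainname.com</string></array>
          <key>DomainAction</key><string>ConnectIfNeeded</string>
          <key>ProbeURL</key><string>https://service.domainname.com/</string>
        </dict>
      </array>
    </dict>
    <dict>
      <key>Action</key><string>Disconnect</string>
      <key>DNSDomainMatch</key>
      <array><string>*.com</string><string>*.org</string><string>*.net</string></array>
    </dict>
    <dict>
      <key>Action</key><string>Disconnect</string>
    </dict>
  </array>
</dict>
</plist>
"""


def load_rules(profile_bytes):
    """Parse the profile and return its OnDemandRules array."""
    return plistlib.loads(profile_bytes)["OnDemandRules"]


def rule_matches(rule, network):
    """True when every match key present on `rule` holds for `network`.

    `network` is a constructed dict: interface, ssid, search_domains,
    dns_servers, probe_reachable. A rule with no match keys always matches.
    """
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != network.get("interface"):
        return False
    if "SSIDMatch" in rule and network.get("ssid") not in rule["SSIDMatch"]:
        return False
    if "DNSDomainMatch" in rule:
        # Compared against the network's DNS search domains, not against
        # the hostname of the site being visited.
        if not any(fnmatch(sd, pat) for pat in rule["DNSDomainMatch"]
                   for sd in network.get("search_domains", [])):
            return False
    if "DNSServerAddressMatch" in rule:
        if not any(fnmatch(srv, pat) for pat in rule["DNSServerAddressMatch"]
                   for srv in network.get("dns_servers", [])):
            return False
    if "URLStringProbe" in rule and not network.get("probe_reachable", False):
        return False
    return True


def select_rule(rules, network):
    """Return (index, rule) of the first matching rule, or (None, None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, network):
            return i, rule
    return None, None


def domain_action(rule, hostname):
    """For an EvaluateConnection rule, return the DomainAction covering
    `hostname` (the domain itself or a subdomain), or None when no
    ActionParameters entry lists it. DomainAction values are only
    ConnectIfNeeded or NeverConnect; there is no per-domain disconnect."""
    for params in rule.get("ActionParameters", []):
        for d in params["Domains"]:
            if hostname == d or hostname.endswith("." + d):
                return params["DomainAction"]
    return None


if __name__ == "__main__":
    rules = load_rules(PROFILE)
    net = {"interface": "WiFi", "search_domains": ["home.example.com"]}
    idx, rule = select_rule(rules, net)
    print(f"rule {idx} wins: {rule['Action']}")
    for host in ("service.domainname.com", "www.example.org"):
        print(host, "->", domain_action(rule, host))
```

Run against the poster's ordering, the EvaluateConnection rule has no match keys, so it is selected on every network and the two Disconnect rules after it are never reached; the per-domain table then yields ConnectIfNeeded for service.domainname.com and nothing at all for other hosts. The test also reorders the rules to show that a DNSDomainMatch rule only fires when a search domain of the current network matches one of its patterns.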

Thanks for the post. For help with a VPN app, please post in the Apple Support Community.

Alternatively, contact the developer of that particular VPN application.

The Apple Developer Forums are for questions about APIs and features intended specifically for developers. Hope this helps.

Albert Pascual
  Worldwide Developer Relations.

I appreciate the response. For clarification I was following the development guides here: https://developer.apple.com/documentation/devicemanagement/vpn/vpn-data.dictionary/ondemandruleselement.

From what I can tell I was following them to configure this; I didn't think it was specific to one VPN type or another.

I will post in the standard forum and see if someone can help.

Thanks,

I understand what you want to do, but I am wondering if you are going about it the right way.

Please excuse me for asking what is likely to be a newbie type question since I have no familiarity with Wireguard.

As I understand it, you want to force a VPN connection for one specific domain, and want to explicitly disconnect that VPN connection for all others. The newbie type question I have for you is: how is that remote service informed of that disconnection? To my limited knowledge, when you connect to a specific website, that connection remains active until it is explicitly terminated. The usual way that happens is it times out, or that server explicitly drops you.

Otherwise, it seems to me you are waiting for something to happen that doesn't normally happen on its own, and perhaps that's the reason it is not disconnecting when you simply navigate to a different domain (assuming that is your expectation).

FYI I am reluctant to participate in that Apple Support Community post because it is very likely to attract unhelpful replies such as "why would you want to do that" and / or "VPNs are useless"... which may be true. Owing to the recent enormous popularity of commercial / "coffee shop" VPNs they have attracted millions of uninformed / misinformed people that run into trouble with them, then come to ASC for help. For them, removing the commercial VPN is the instant solution.

"Answers" like that will not help you resolve your concern though, so I don't want to encourage them by even participating. What you want to do is reasonable, and I understand, though I might not be able to help.

Perhaps you would be better off posting a question in https://www.reddit.com/r/WireGuard/

I realize that amounts to asking for swimming lessons in a cesspool, but you might find a few nuggets floating around in there. Personally I despise Reddit.
